An anomaly behavior characterization method of network traffic based on Spatial Pyramid Pool (SPP)

Tao Yi, Xingshu Chen, Qindong Li, Yi Zhu
DOI: https://doi.org/10.1016/j.cose.2024.103809
IF: 5.105
2024-03-29
Computers & Security
Abstract: APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silent requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches that rely solely on single-sample statistical features and "packet-sniffing" windowed traffic-grouping detection methods are no longer sufficient to address these challenges. To tackle these issues, we propose an innovative approach to characterizing network attack traffic based on Spatial Pyramid Pooling (SPP) by analyzing the attack communication methods and data transmission patterns in the network session traffic of APT attacks involving remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporal correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both current traffic features and correlated properties of contextual session traffic. Additionally, this approach meets the fixed-length input requirement of deep learning models for heterogeneous data.
Extensive experiments demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experimental results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning over raw data.
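As an added illustration of the SPP idea sketched in the abstract (this is not the paper's own code): a variable-length set of a host's recent sessions is pooled at several pyramid levels with mean, total and a concentration statistic into a fixed-length context vector, which is then fused with the current session's own features. The feature columns, the 1/2/4 pyramid levels, the "concentration" definition (share of a bin's total carried by its largest session) and the sample sessions are all assumptions made here, not values taken from the paper.

```python
from typing import List, Sequence

Session = Sequence[float]  # one session's feature vector, e.g. (bytes_out, bytes_in, duration_s)

def pool_bin(rows: List[Session], n_features: int) -> List[float]:
    """For every feature column of one bin return [mean, total, concentration].
    Concentration is assumed here to be max/total (share of the bin carried by its
    largest session); an empty bin (more bins than sessions) pools to zeros."""
    out: List[float] = []
    for j in range(n_features):
        col = [r[j] for r in rows]
        total = sum(col)
        mean = total / len(col) if col else 0.0
        conc = max(col) / total if total > 0 else 0.0
        out += [mean, total, conc]
    return out

def spp_context(sessions: List[Session], n_features: int,
                levels: Sequence[int] = (1, 2, 4)) -> List[float]:
    """Spatial pyramid pooling over a variable-length session sequence (oldest first).
    At pyramid level k the sequence is cut into k contiguous bins and each bin is
    pooled, so the output length is sum(levels) * 3 * n_features for any input size."""
    n = len(sessions)
    out: List[float] = []
    for k in levels:
        for b in range(k):
            lo, hi = (b * n) // k, ((b + 1) * n) // k
            out += pool_bin(sessions[lo:hi], n_features)
    return out

def fuse(current: Session, history: List[Session]) -> List[float]:
    """Detection sample = the session's own features + SPP context of the
    sessions around it, the fusion the abstract describes."""
    return list(current) + spp_context(history, n_features=len(current))

# Constructed sample (not real traffic): five earlier sessions of one host, oldest
# first, as (bytes_out, bytes_in, duration_s); the third has an unusually large upload.
HISTORY: List[Session] = [
    [120.0, 300.0, 0.5],
    [110.0, 280.0, 0.4],
    [5000.0, 200.0, 3.0],
    [130.0, 310.0, 0.6],
    [115.0, 290.0, 0.5],
]
CURRENT: Session = [125.0, 295.0, 0.5]

if __name__ == "__main__":
    sample = fuse(CURRENT, HISTORY)
    print(len(sample), "features; level-1 bytes_out mean/total/conc:", sample[3:6])
```

With two history sessions instead of five the context vector keeps the same length, which is the fixed-length property the abstract needs for the deep learning input.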
computer science, information systems